CVE-2015-1427

Analysis and mitigation of the Elasticsearch vulnerability: CRITICAL (CVSS 9.8)

High-profile threat

Overview

Elasticsearch versions before 1.3.8 and 1.4.x before 1.4.3 contain a critical sandbox bypass vulnerability in the Groovy scripting engine. It allows remote attackers to execute arbitrary shell commands by submitting crafted Groovy scripts, and leads to complete system compromise without any authentication. The vulnerability was disclosed on February 17, 2015. CISA has identified CVE-2015-1427 as exploited, but it is not currently known to be used in ransomware campaigns.

Technical details

Elasticsearch's Groovy scripting engine contained a sandbox bypass that let attackers escape the sandbox restrictions and execute arbitrary shell commands on the server. The flaw lay in how Elasticsearch processed and executed Groovy scripts submitted through the script parameter in search queries and other API endpoints. Specially crafted Groovy code could use Java reflection and method invocation to reach system-level functionality, bypassing the sandbox that was meant to restrict what scripts could do.

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) and CWE-265 (Incorrect Privilege Assignment).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its critical severity.

Impact

This vulnerability allows unauthenticated remote attackers to gain complete control over affected Elasticsearch servers. Attackers can execute arbitrary shell commands with the privileges of the Elasticsearch process, typically the user account running the Elasticsearch service. This lets them read sensitive data from the indices, install malware or backdoors, pivot to other systems on the network, delete or corrupt data, and cause denial of service. Because no authentication is required, any attacker with network access to the Elasticsearch port (typically 9200) can exploit it, which makes the vulnerability extremely dangerous.

Mitigation and workarounds

Upgrade Elasticsearch to version 1.3.8 or 1.4.3 or later. Download the appropriate version from elastic.co and follow the upgrade procedure. For Elasticsearch 1.x: stop the running instance, replace the installation files, and restart the service. If immediate patching is not possible, disable Groovy scripting entirely by setting 'script.disable_dynamic: true' in elasticsearch.yml. The following versions include the necessary fixes: 1.3.8, 1.4.3, 1.5.0 and later.

As temporary workarounds: disable dynamic scripting by adding 'script.disable_dynamic: true' to elasticsearch.yml and restarting Elasticsearch; this completely disables dynamic scripts while allowing stored scripts created before the setting was enabled to keep functioning. Restrict network access to the Elasticsearch REST API port (9200 by default) using firewall rules, network segmentation, or security groups, and only allow trusted clients to connect to Elasticsearch. Finally, disable the Groovy scripting language specifically by setting 'script.groovy.sandbox.collections_access_allowed: false' and restricting the other scripting options in elasticsearch.yml.
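The affected version range and the 'script.disable_dynamic' workaround above, turned into a check as an added example (not part of this advisory or of Elasticsearch): it classifies a node from the JSON body of GET / and the settings read from its elasticsearch.yml. The sample response, node name and status labels are constructed for the example.

```python
"""Version and configuration check for CVE-2015-1427 (added example, not from the advisory)."""
import json
from typing import Tuple

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.4.2' (or '1.4.2-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable_version(version: str) -> bool:
    """Affected per the advisory: versions before 1.3.8, and 1.4.x before 1.4.3."""
    v = parse_version(version)
    if v < (1, 3, 8):
        return True
    if (1, 4, 0) <= v < (1, 4, 3):
        return True
    return False

def dynamic_scripting_disabled(settings: dict) -> bool:
    """Workaround from the advisory: script.disable_dynamic: true in elasticsearch.yml.
    Only an explicit true counts; the 'sandbox' value does not, because the sandbox
    is exactly what CVE-2015-1427 bypasses."""
    value = settings.get("script.disable_dynamic", False)
    return str(value).strip().lower() == "true"

def assess(root_response: str, settings: dict) -> str:
    """Classify a node from the JSON body of GET / plus its elasticsearch.yml settings."""
    version = json.loads(root_response)["version"]["number"]
    if not is_vulnerable_version(version):
        return "patched"
    if dynamic_scripting_disabled(settings):
        return "vulnerable-version-mitigated"
    return "vulnerable"

# Constructed sample with the shape of an Elasticsearch 1.x GET / response (values made up).
SAMPLE_ROOT = json.dumps({"status": 200, "name": "node-1",
                          "version": {"number": "1.4.2", "lucene_version": "4.10.2"},
                          "tagline": "You Know, for Search"})

if __name__ == "__main__":
    print(assess(SAMPLE_ROOT, {"script.disable_dynamic": "sandbox"}))  # vulnerable
    print(assess(SAMPLE_ROOT, {"script.disable_dynamic": True}))       # vulnerable-version-mitigated
```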

CISA recommendation: apply updates per vendor instructions.

Source: this report was generated by AI.

Related Elastic vulnerabilities

No related vulnerabilities with identified affected products.